The Gmail phishing attack is reportedly so effective that it tricks even technical users, but it may be just the tip of the iceberg. We’re seeing similarly simple but clever social engineering tactics using PDF attachments.

These deceitful PDF attachments are being used in email phishing attacks that attempt to steal your email credentials. Apparently, the heightened phishing activity that we have come to expect every year during the holiday season has not subsided.

Unlike in other spam campaigns, the PDF attachments we are seeing in these phishing attacks do not contain malware or exploit code. Instead, they rely on social engineering to lead you on to phishing pages, where you are then asked to divulge sensitive information.

At Microsoft Malware Protection Center, we continuously monitor the threat landscape for threats such as these PDF files that arrive via email and execute their payload from the web. We do this, not only so we can create security solutions for the latest threats, but also so we understand cybercriminal’s newest schemes and warn customers.

Awareness is an effective weapon against social engineering. We’re sharing some examples of these PDF attachments, including one that spoofs Microsoft Office, so you are armed with knowledge that you can use to detect these social engineering attacks.

Example 1: You received a document that Adobe Reader can’t display because it’s a protected Excel file, so you need to enter your email credentials

One example of the fraudulent PDF attachments is carried by email messages that pretend to be official communication, for instance, a quotation for a product or a service, from a legitimate company. These email messages may spoof actual people from legitimate companies in order to fake authenticity.

When you open the attachment, it’s an actual PDF file that is made to appear like an error message. It contains an instruction to “Open document with Microsoft Excel”. But it’s actually a link to a website.

Clicking the link opens your browser and brings you to a website, where the social engineering attack continues with a message that the document is protected because it is confidential, and therefore you need to sign in with your email credentials.

If you’re using Microsoft Edge, Microsoft SmartScreen will block this website, stopping the phishing attack.

However. if you’re using a browser that does not block the website and you click OK, you are led to the phishing site, which asks you to enter your email address and password. The website is designed to appear like you are opening an Excel file. The website goes to great lengths to mimic Microsoft Excel Online, but what you see in the site is not an Excel file, but just an image.

If you fall for this social engineering trick and enter your details, you are redirected to the site below, which says you entered your details incorrectly. But at this point, the attackers will have your email credentials. Once they have access to your email, the attackers can launch further phishing attacks against your contacts, or gain access to your social networking, online banking, or online gaming accounts.

Example 2: You received a PDF file from Dropbox and need to log in using your email credentials

Another example of these PDF attachments put on pretense that you need to sign in to online storage provider Dropbox to access your document. Just like the first example, this PDF document does not have malicious code, but contains a link to “View .PDF online”.

Clicking the link takes you to a fake Dropbox login page that gives you options to sign in using your Google, Outlook, AOL, Yahoo!, Office 365 or other email credentials.

Microsoft Edge users are protected from this threat. Using Microsoft SmartScreen, it stops this phishing attack from loading or serving further offending pages.

On the phishing page, options are tailored to look like a legitimate email sign in page. For example, clicking the Office 365 option brings up a window that may look authentic to an untrained eye.

It’s the same level of customization for the other options. For example, for the Google option, the window first asks you to choose whether you’d like to sign in using your organizational or individual account. This step is not present in the actual Google sign in process, but this may be done to help the attackers identify business-related account credentials. It then brings up the sign in page.

If you enter your details, an actual PDF document (hosted in Google Drive, not Dropbox) is opened in a window.

As part of the social engineering tactic, this is done so you don’t immediately suspect you were phished. By this time, the attackers will have your credentials. This last step can buy them more time to use your credentials before you realize you need to change your password.

We have seen other examples of PDF files being distributed via email and exhibiting the same characteristics. Just like the first two cases, these PDF files don’t contain malicious code, apart from a link to a phishing site. All of them carry the message that you need to enter your email credentials so that you can view or download the document. All of these attachments are detected as variants of Trojan:Win32/Pdfphish.

How to stay safe from phishing attacks

As we saw from these examples, social engineering attacks are designed to take advantage of possible lapses in decision-making. Awareness is key; that is why we’re making these cybercriminal tactics known.

Don’t open attachments or click links in suspicious emails. Even if the emails came from someone you know, if you are not expecting the email, be wary about opening the attachment, because spam and phishing emails may spoof the sender.

In these times, when we’re seeing heightened phishing attacks with improved social engineering techniques, a little bit of paranoia doesn’t hurt. For instance, question why Adobe Reader is trying to open an Excel file. Ask why Dropbox is requiring you to enter your email credentials, not your Dropbox account credentials.

Featured Posts

In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how rapid cyberattacks are different in terms of execution and outcome. In the second blog post, we provided some details on Petya and how it worked. In this final blog post, we will share: Microsoft’s roadmap of recommendations...

The word strategy has its origins in the Roman Empire and was used to describe the leading of troops in battle. From a military perspective, strategy is a top-level plan designed to achieve one or more high-order goals. A clear strategy is especially important in times of uncertainty as it provides a framework for those...

Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog,...

For several years now, policymakers and practitioners from governments, CERTs, and the security industry have been speaking about the importance of public-private partnerships as an essential part of combating cyber threats. It is impossible to attend a security conference without a keynote presenter talking about it. In fact, these conferences increasingly include sessions or entire...